What You Need to Know About Two-Factor Authentication

A hacker who steals your bank password can transfer funds from your account, but a hacker who steals your ATM card PIN can't make a withdrawal. He doesn't have the card. A two-factor authentication system requires both something you know and something you have, so it's much more secure.

We're all so accustomed to authenticating our identity by entering a username and password that we rarely think about how inherently lame that system is, security-wise. Stolen passwords and personal data are big news, because once a malefactor obtains your login credentials he gains total control over your bank account, Facebook page, or whatever you were protecting.

A hacker armed with your bank account password can steal your money, but a hacker who just gets your ATM card PIN can't withdraw a stack of twenties. Why? He doesn't have the card itself. To get money from the ATM, you must have the card and know the PIN. This combination of "something you have" and "something you know" is a form of two-factor authentication.

Another possible component in two-factor authentication is "something you are," such as your fingerprint. Many modern laptops include a fingerprint scanner built in. Don't have one? It's simple enough to connect a third-party USB-based scanner. Other biometric techniques like iris or facial recognition also fall in this category.

Smartphones for Security
Google Authenticator is a smartphone app from Google that generates a time-based one-time security code. To log in with Google Authenticator, you launch the app and enter the currently displayed code. In addition to securing your Google account, you can use it with supporting third-party apps, including LastPass 2.0.

Many banks use a different sort of smartphone-based system to authenticate financial transactions. Before approving the transaction, the bank's software sends a text message to your phone number of record and waits for you to enter the code found in this message. This system can be defeated if both the PC and smartphone have been compromised by malware, or if the crooks manage to change the phone number of record, so keep your antivirus protection up to date.

Security Gadgets
It's not uncommon for large businesses to require validation through a security token, a device that generates an ever-changing security code synchronized with the company's servers. To connect with the corporate network, you enter your password and also enter the code currently displayed by the token. Don't lose that token or you'll be locked out until the IT department can get you a new one.

When you insert a YubiKey into your computer's USB port and touch its button, it types in a one-time password. Of course, the site or service you're logging into must support YubiKey authentication. YubiKey support is a feature of LastPass 2.0 Premium. Both RoboForm Desktop 7 and LastPass (free and Premium) also support fingerprint-based authentication.

A USB-based secure storage device like MyLOK Personal or IronKey Personal S200 by its very nature uses two-factor authentication. To get at the secured information you must have the device itself in your possession and also know the master password.

For the ultimate in low-tech two-factor authentication, LastPass users can print a wallet-sized card with a grid of random characters. At login time, LastPass will ask for the characters found at specific row/column coordinates.

Get Two-Factor Authentication
So how can you take advantage of the added security offered by two-factor authentication? If you're using a password manager that includes two-factor support, turn it on! You want maximum protection for a utility that stores all of your other passwords.

You may find that your bank or credit card provider supports some kind of two-factor authentication. Perhaps they emailed you about it, but you didn't think it important at the time. As noted, with some banks you can sign up for SMS-based authentication. Others will send you a security token on request. Check the bank's website, or call customer service.

When two-factor authentication is involved, hackers lose interest. They'll get a much bigger payoff focusing on accounts protected with nothing but a password. You may spend a few extra seconds swiping a fingerprint or entering a one-time code, but the security payoff is huge.

About the Author

Neil Rubenking served as vice president and president of the San Francisco PC User Group for three years when the IBM PC was brand new. He was present at the formation of the Association of Shareware Professionals, and served on its board of directors. In 1986, PC Magazine brought Neil on board to handle the torrent of Turbo Pascal tips submitted b...
